What Is Session Hijacking?

Benjamin Scott

Session hijacking is a cyberattack that has been around for a while. Hackers utilize the underlying internet technology to perform this attack, so it’s not likely to disappear anytime soon. And even though session hijacking is hard to spot until it’s too late, there are a few things users can do to make sure their connections and data are safe.

Sessions and cookies

Whenever you go online, the website you’re visiting and your browser initiate a session. They exchange information to identify each other, and the site sends a session cookie (among others) to maintain that authentication throughout your session.

Cookies are small files that contain information about users. For example, a session cookie allows an online shop to know what you put in your shopping cart even after you've left the page. Because of cookies, online forms offer suggestions based on the things you have previously entered into them. It’s also how you get ads specifically tailored for you: look at a pair of sneakers on Amazon, and their image will follow you all over the internet for days.

Cookies can be intrusive, but they are convenient nonetheless. You don’t have to log in every time you visit a social network or reassemble your shopping cart, and the pages you often visit load a bit faster. Unfortunately, if you are not careful, cookies might get you in trouble.

How does session hijacking work?

At its very core, a session hijacking attack is cookie theft. If you log into your social media account on a library computer, the website sends a session cookie so that you don’t get logged out on the next page. If someone were to steal that cookie, they could pretend to be you and cause a lot of damage.

An attacker could see all the information that’s in your account, like your name, email, phone number, address, credit card details, etc. They can purchase something and use your card to pay for it or spam your contact list with phishing links.

Types of session hijacking

There are a few different ways a session hijacking attack can be performed:

  1. Session side-jacking. It could happen when you connect to an unsecured network, like a public Wi-Fi. An attacker can intercept or eavesdrop on a connection and see what other people on the same network are doing online. If the site you’re visiting doesn't use TLS encryption, everything you do on the website will be visible to the snooper — including your session cookies. So, the attacker can continue your session even after you’ve disconnected.

  2. IP spoofing. It’s a man-in-the-middle attack, similar to session side-jacking. The attacker uses this technique to pretend to be you from the get-go. When you try to connect to a website, you need to perform a TCP handshake. If you’re connecting through an unsecured Wi-Fi, the hacker will get in the middle of this three-way handshake just before the third step. They will use (spoof) your IP address to trick the server into thinking that it’s you and perform the third part of the TCP handshake. From this point forward, they can receive all the cookies and communicate with the website in your name.

  3. Brute-force attack. It works the same way all brute-force attacks do. The cybercriminal will try all possible session tokens and hope that they will guess the right one and will be able to take control of your account.

  4. Session fixation. You can think of it as session hijacking, but inverted. So instead of stealing a valid, existing session cookie, during session fixation the attacker plants a predefined session cookie into the victim's browser. Once the victim logs into a website, they will inevitably use the same session cookie that the attacker has planted and already knows, and thus the attacker-owned cookie is now authenticated and can be exploited.
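
The website's side of the brute-force, session fixation and side-jacking items above, as an added example that is not code from the original article. It is a toy in-memory session store (every class, method and cookie name here is hypothetical) that compares a login which keeps the pre-login session ID with one that issues a fresh ID, and builds a cookie that is only sent over TLS.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Toy server-side session table: session id -> logged-in user (or None)."""
    def __init__(self):
        self.sessions = {}

    def new_session(self, user=None):
        # 32 bytes from the OS CSPRNG: far too large a space to guess by brute force.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def login_keep_id(self, presented_sid, user):
        # Weak: marks whatever id the browser presented as logged in, so an id
        # planted before login becomes an authenticated session (fixation).
        self.sessions[presented_sid] = user
        return presented_sid

    def login_rotate_id(self, presented_sid, user):
        # Hardened: throw away the pre-login id and issue a fresh one at login.
        self.sessions.pop(presented_sid, None)
        return self.new_session(user)

    def whoami(self, sid):
        return self.sessions.get(sid)

def session_cookie(sid):
    # Secure: only sent over TLS, so it is not visible on an open network.
    # HttpOnly: not readable by page scripts. SameSite: not sent cross-site.
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def planted_id_owner(rotate):
    """Return (user behind the pre-login id, user behind the post-login id)."""
    store = SessionStore()
    planted = store.new_session()  # constructed scenario: id known before login
    login = store.login_rotate_id if rotate else store.login_keep_id
    new_sid = login(planted, "alice")
    return store.whoami(planted), store.whoami(new_sid)
```

With `rotate=False` the pre-login ID resolves to the logged-in user; with `rotate=True` it resolves to nobody, which is why sites issue a new session ID at login.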


How to prevent session hijacking?

  • Never connect to an unsecured Wi-Fi. Use your mobile data while you lounge at a coffee shop — it’s much safer. If you do connect to a public hotspot, don’t enter any personal information, like login credentials or credit card details.

  • Do you travel a lot, and airport/hotel Wi-Fi is an inseparable part of your work? Then use a VPN to encrypt your internet connection.

  • Check every app and piece of software before you download it. Make sure the developer is trustworthy and that it’s not a scam. Some apps are designed to look like the real thing, but once you install them, malware spreads on your device.

  • Get an antimalware tool to protect your devices. It will not only stop any session hijacking attempts but will ensure the safety of your data and online accounts as well.

  • Pay attention online. Phishing and scareware depend on our emotions to cloud our judgment. If you get an email telling you that someone tried to log into your account and you should act now, don’t just click on the link. Check the sender — does it look like a legitimate email address? Are there any typos in the text? Do the fonts seem off? If anything seems off, it might be a phishing email. You should open a new tab and go to the allegedly hacked account yourself to see if something really happened.
